JOHN THE RIPPER — Practical Guide

1. INTRODUCTION

John the Ripper (JtR) is a fast and powerful password cracking tool.

It supports, among other targets:

- Linux /etc/shadow hashes
- Windows NTLM hashes
- ZIP/RAR archives
- SSH private keys
- Kerberos tickets

It is used in pentesting, CTFs, OSCP labs, and digital forensics.


2. BASIC SYNTAX

Run John on a hash file:

```bash
john hashes.txt
```

Show cracked passwords:

```bash
john --show hashes.txt
```

Resume interrupted cracking:

```bash
john --restore
```

3. COMMON HASH FORMATS

Linux shadow hashes:

Formats: sha512crypt, md5crypt, bcrypt, yescrypt

Windows NTLM hashes:

Format: NT

ZIP / RAR archive hashes:

Formats: zip, rar

SSH private key hashes:

Format: SSH


4. IDENTIFY HASH TYPE

List all supported formats:

```bash
john --list=formats
```

Let John auto-detect the hash format (it prints the format it picked and warns when several formats match the same hash, so check that line before starting a long run):

```bash
john hashes.txt
```

Force a format manually:

```bash
john --format=NT hashes.txt
```
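A small audit helper for the shadow formats listed in section 3, added here as an example (it is not code from the page or from the John project): it reads shadow-style lines, maps the crypt(3) prefix to the John format name the page uses, and flags accounts still hashed with md5crypt or classic descrypt. The sample lines and the hash bodies inside them are constructed placeholders, not real hashes, and the weak/acceptable/strong ratings are this example's own classification.

```python
import re

# crypt(3) Modular Crypt Format prefixes -> (John format name, audit rating).
# The ratings are this example's own defender-side classification.
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "acceptable"),
    "$6$": ("sha512crypt", "acceptable"),
    "$2a$": ("bcrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$2y$": ("bcrypt", "strong"),
    "$y$": ("yescrypt", "strong"),
}

DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")  # classic 13-character descrypt


def identify_shadow_hash(field: str):
    """Map the password field of a shadow line to (john_format, rating).

    '*', '!' and empty fields mean the account is locked or has no
    password, so there is nothing for John to crack.
    """
    if field == "" or field.startswith(("!", "*")):
        return ("none", "locked-or-empty")
    for prefix, info in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return info
    if DES_CRYPT_RE.fullmatch(field):
        return ("descrypt", "weak")
    return ("unknown", "unknown")


def audit_shadow(lines):
    """Parse 'user:hash:...' lines and return [(user, format, rating), ...]."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        fmt, rating = identify_shadow_hash(fields[1])
        findings.append((fields[0], fmt, rating))
    return findings


def weak_accounts(findings):
    """Users whose hashes use a format that is cheap to crack (a policy finding)."""
    return [user for user, _fmt, rating in findings if rating == "weak"]


# Constructed sample: the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPTBODY00000000000000000000000000000000000000000000000:19700:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERMD5CRYPT00:19700:0:99999:7:::
svc:$y$j9T$saltsaltsaltsalt$PLACEHOLDERYESCRYPTBODY0000000000000000000:19700:0:99999:7:::
oldbox:Np6pPLACEHOLD:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:!:19700:0:99999:7:::
"""

if __name__ == "__main__":
    results = audit_shadow(SAMPLE_SHADOW.splitlines())
    for user, fmt, rating in results:
        print(f"{user:10s} {fmt:12s} {rating}")
    print("accounts to migrate to a stronger hash:", weak_accounts(results))
```

Run it against a real shadow file (as root, or on a copy) to see which accounts would give John the easiest time; the same prefix logic tells you which --format value to pass when auto-detection is ambiguous.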

5. WORDLIST ATTACK

Crack using a wordlist:

```bash
john --wordlist=rockyou.txt hashes.txt
```

Use mutation rules:

```bash
john --wordlist=rockyou.txt --rules hashes.txt
```

Rules generate variations of each wordlist entry, for example:

password123 → Password123!
admin → admin2024


6. INCREMENTAL / BRUTE FORCE MODE

Pure brute force (default incremental charset):

```bash
john --incremental hashes.txt
```

Digits only:

```bash
john --incremental=digits hashes.txt
```

Alphanumeric mode:

```bash
john --incremental=alnum hashes.txt
```

7. MASK ATTACKS (PATTERN-BASED)

Use a mask when the password structure is known. Placeholders: ?l lowercase, ?u uppercase, ?d digit, ?s symbol, ?a any printable ASCII; any other character is a literal.

Password starts with "P" + 6 digits:

```bash
john --mask=P?d?d?d?d?d?d hashes.txt
```

8 lowercase characters:

```bash
john --mask=?l?l?l?l?l?l?l?l hashes.txt
```

8. CRACKING ZIP / RAR ARCHIVES

Extract the hash from the archive:

```bash
zip2john file.zip > zip.hash
rar2john file.rar > rar.hash
```

Crack it:

```bash
john zip.hash --wordlist=rockyou.txt
```

9. CRACKING SSH PRIVATE KEYS

Extract the hash from the key file:

```bash
ssh2john id_rsa > rsa.hash
```

Crack it:

```bash
john rsa.hash --wordlist=rockyou.txt
```

10. CRACKING WINDOWS NTLM HASHES

```bash
john --format=NT hashes.txt --wordlist=rockyou.txt
```

NTLM example (pwdump style, LM hash:NT hash). The LM half aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what appears when LM hashing is disabled, so only the NT half carries the password:

```text
aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
```
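The line above is an LM:NT pair. As an added example (not from the page or the John project), this computes an NT hash the way Windows does, MD4 over the UTF-16LE password with no salt, and shows the empty-LM check. MD4 is implemented in pure Python here because hashlib on OpenSSL 3 systems often ships without it; the pwdump-style user:rid:LM:NT::: layout handled by the splitter is an assumed input shape, and the sample line is the one from this section.

```python
import struct

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Rotating (a, b, c, d) after every step reproduces the
        # ABCD/DABC/CDAB/BCDA register order written out in the RFC.
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0 = (a0 + a) & 0xFFFFFFFF
        b0 = (b0 + b) & 0xFFFFFFFF
        c0 = (c0 + c) & 0xFFFFFFFF
        d0 = (d0 + d) & 0xFFFFFFFF
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, unsalted, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def split_ntlm_line(line: str):
    """Return (lm_hex, nt_hex) from a bare 'LM:NT' line (as on the page)
    or a pwdump-style 'user:rid:LM:NT:::' line (assumed layout)."""
    fields = line.strip().split(":")
    if len(fields) >= 4:
        lm, nt = fields[2], fields[3]
    elif len(fields) == 2:
        lm, nt = fields
    else:
        raise ValueError("unrecognised NTLM line layout")
    return lm.lower(), nt.lower()


def lm_disabled(lm_hex: str) -> bool:
    """True when the LM field is the empty-password LM hash (LM storage off)."""
    return lm_hex.lower() == EMPTY_LM_HASH


def nt_hash_matches(nt_hex: str, candidate: str) -> bool:
    """Check one candidate against an NT hash; no salt means one MD4 per guess."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    sample = "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c"
    lm, nt = split_ntlm_line(sample)
    print("LM disabled:", lm_disabled(lm))
    print("NT half is NT('password'):", nt_hash_matches(nt, "password"))
```

The absence of a salt is why NT is one of the fastest formats John handles: every guess costs exactly one MD4 and the same computation serves every account in the file, which is the argument for long passphrases and for keeping LM storage disabled on anything that still offers it.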


11. POT FILE (CRACKED PASSWORD STORAGE)

John stores cracked passwords in a "pot" file. For distribution packages that is usually:

```text
~/.john/john.pot
```

(A build from source keeps it as john.pot next to the john binary in the run/ directory.)

Show cracked entries:

```bash
john --show hashes.txt
```

12. SESSION MANAGEMENT

Start named session:

```bash
john --session=myjob hashes.txt
```

Restore session:

```bash
john --restore=myjob
```

13. PERFORMANCE TIPS

Crack in this order for best efficiency (smallest candidate set first):

1. Wordlist mode (fastest)
2. Wordlist + rules
3. Mask attacks (targeted brute force)
4. Incremental mode (slowest)


14. REAL PENTEST & CTF EXAMPLES

Crack Linux shadow:

```bash
unshadow passwd shadow > combo.txt
john combo.txt --wordlist=rockyou.txt
```

Crack Windows SAM:

```bash
samdump2 SYSTEM SAM > ntlm.txt
john ntlm.txt --format=NT --wordlist=rockyou.txt
```

Crack SSH key:

```bash
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=rockyou.txt
```

Crack ZIP archive:

```bash
zip2john secrets.zip > zip.hash
john zip.hash --wordlist=rockyou.txt
```
